
v1.20.0 - Private registry MAL- detection, Yarn path reconstruction, and --create-pr


@sonukapoor sonukapoor released this 09 Jun 03:20
Tag v1.20.0, commit 78aa534

Added

  • --create-pr flag: after --fix, commits the lockfile changes and opens a GitHub PR via the gh CLI, with a descriptive title listing the upgraded packages and the number of vulnerabilities addressed
  • --base <branch> flag to set the base branch for --create-pr (default: main)
  • Bun parser updated to reconstruct transitive paths from package relationships; within-range remediation now works for Bun lockfiles
  • pnpm-within-range, deep-chain-no-fix, pnpm-aliased-chain regression fixtures
  • CamoFox Browser case study
  • mal-private-registry example fixture demonstrating unverifiable MAL- output for private registry packages

Fixed

  • Yarn Classic parser now reconstructs full transitive dependency paths using a BFS graph walk; the within-range resolver correctly suggests yarn upgrade <pkg> for deep chains
  • MAL- advisories for packages resolved from a private registry now surface as "Unverifiable (private source)" instead of a false-positive "Malicious" finding, since a MAL- advisory describes the package published under that name on the public npm registry and says nothing about an artifact a private registry serves under the same name
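The two fixes above (BFS path reconstruction over a Yarn Classic lockfile, and refusing to confirm a MAL- advisory for a privately resolved package) are illustrated by the following added example. It is not the project's own code and its internals are not a description of the project's parser or resolver: it is a minimal yarn.lock v1 parser, a BFS from the package.json roots to the vulnerable entry, a deliberately simplified caret-only range check standing in for a real semver resolver (an assumption), and a classifier that treats only registry.npmjs.org and registry.yarnpkg.com as public hosts. All package names, versions and registry hosts in the fixture are constructed.

```javascript
// Added example, not the project's code. All package names, versions and hosts are constructed.
// Parse yarn.lock v1 into Map "name@range" -> { name, version, resolved, dependencies };
// keys that share a header ("a@^1.0.0", "a@^1.2.0":) share one entry, as in the real file.
function parseYarnLock(text) {
  const lock = new Map();
  let entry = null, inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {                          // unindented line = entry header
      const keys = raw.replace(/:\s*$/, "").split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      entry = { name: keys[0].slice(0, keys[0].lastIndexOf("@")), version: "", resolved: "", dependencies: {} };
      for (const k of keys) lock.set(k, entry);
      inDeps = false; continue;
    }
    const line = raw.trim();
    if (inDeps && raw.startsWith("    ")) {               // 4-space lines under dependencies:
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) entry.dependencies[m[1]] = m[2];
      continue;
    }
    inDeps = line === "dependencies:";
    const m = line.match(/^(version|resolved)\s+"?([^"]*)"?$/);
    if (m) entry[m[1]] = m[2];
  }
  return lock;
}

// BFS from package.json roots: shortest key path to every lockfile entry named `target`.
function findPathsTo(lock, rootDeps, target) {
  const queue = Object.keys(rootDeps).map((n) => [`${n}@${rootDeps[n]}`]).filter((p) => lock.has(p[0]));
  const seen = new Set(), paths = [];
  while (queue.length) {
    const path = queue.shift(), key = path[path.length - 1];
    if (seen.has(key)) continue;
    seen.add(key);
    const entry = lock.get(key);
    if (entry.name === target) { paths.push(path); continue; }
    for (const [dep, range] of Object.entries(entry.dependencies)) {
      const depKey = `${dep}@${range}`;
      if (lock.has(depKey) && !seen.has(depKey)) queue.push([...path, depKey]);
    }
  }
  return paths;
}

// Caret ranges only, an approximation (assumption; a real resolver would use semver):
// same major line, same minor for 0.x, and not below the range floor.
function caretSatisfies(range, version) {
  const m = range.match(/^\^(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return false;
  const low = m.slice(1).map(Number), v = version.split(".").map(Number);
  const sameLine = low[0] === 0 ? v[0] === 0 && v[1] === low[1] : v[0] === low[0];
  const notBelow = v[0] !== low[0] ? v[0] > low[0] : v[1] !== low[1] ? v[1] > low[1] : v[2] >= low[2];
  return sameLine && notBelow;
}

// A fix that still satisfies the parent's range needs only a lockfile bump; otherwise the parent must move.
function suggestRemediation(lock, path, fixedVersion) {
  const target = lock.get(path[path.length - 1]), parent = path.length > 1 ? lock.get(path[path.length - 2]) : null;
  const range = parent ? parent.dependencies[target.name] : path[0].slice(target.name.length + 1);
  if (caretSatisfies(range, fixedVersion)) return `yarn upgrade ${target.name}`;
  return `no within-range fix: ${(parent || target).name} must be upgraded`;
}

// A MAL- advisory is about the public npm package of that name; the same name served by a
// private registry may be an unrelated artifact, so report it as unverifiable, not as malicious.
function classifyMalAdvisory(lock, advisoryPackage) {
  const entry = [...lock.values()].find((e) => e.name === advisoryPackage);
  if (!entry) return "Not present";
  let host = ""; try { host = new URL(entry.resolved).hostname; } catch { /* missing, file: or link: */ }
  const isPublic = host === "registry.npmjs.org" || host === "registry.yarnpkg.com";
  return isPublic ? "Malicious" : "Unverifiable (private source)";
}

// Constructed fixture: app-shell -> http-helper -> deep-vuln (public registry), internal-utils (private host).
const SAMPLE_LOCK = `# yarn lockfile v1
"app-shell@^1.0.0":
  version "1.0.2"
  resolved "https://registry.yarnpkg.com/app-shell/-/app-shell-1.0.2.tgz"
  dependencies:
    http-helper "^2.0.0"
http-helper@^2.0.0:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/http-helper/-/http-helper-2.0.1.tgz"
  dependencies:
    deep-vuln "^3.1.0"
deep-vuln@^3.1.0:
  version "3.1.0"
  resolved "https://registry.yarnpkg.com/deep-vuln/-/deep-vuln-3.1.0.tgz"
internal-utils@^1.0.0:
  version "1.0.0"
  resolved "https://npm.corp.example/internal-utils/-/internal-utils-1.0.0.tgz"
`;
function demo() {
  const lock = parseYarnLock(SAMPLE_LOCK);
  const [path] = findPathsTo(lock, { "app-shell": "^1.0.0", "internal-utils": "^1.0.0" }, "deep-vuln");
  return { chain: path.map((k) => `${lock.get(k).name}@${lock.get(k).version}`).join(" > "),
           fix: suggestRemediation(lock, path, "3.1.4"), mal: classifyMalAdvisory(lock, "internal-utils") };
}
console.log(demo());
```

Running it prints the reconstructed chain app-shell@1.0.2 > http-helper@2.0.1 > deep-vuln@3.1.0, the suggestion yarn upgrade deep-vuln (the fix 3.1.4 still satisfies the ^3.1.0 that http-helper requests), and "Unverifiable (private source)" for internal-utils. Had the fix been 4.0.0, the same code reports that http-helper itself must be upgraded, which is the deep-chain-no-fix situation the fixtures above exercise. The BFS visits each lockfile key once, so it terminates on cyclic dependency graphs, and it walks lockfile keys (name@range) rather than names, so two ranges of the same package that resolve to different versions are reported as two separate paths.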

Validation

  • npm test
  • npm run build

Contributors

  • @coder-Yash886 - Yarn parser path reconstruction fix, bun-within-range fixture
  • @Ayush7614 - pnpm-within-range, deep-chain-no-fix, pnpm-aliased-chain fixtures, CamoFox Browser case study
  • @nkgotcode - fixture remediation scan tests